You can optionally verify digital signatures of Windows sensor installation files.

Prepare to Verify Windows Sensor Digital Signatures

Perform the following steps to prepare to verify Windows sensor digital signatures.

Procedure

  1. Download the Microsoft Windows SDK.
  2. Install all components of the SDK.
    Note: SignTool is usually installed under C:\Program Files (x86)\Windows Kits\10\bin, but the exact location depends on the version of the SDK and your operating system. For example, it can be installed in any of the following (or other) locations:
    • C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe
    • C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe
    • C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe
  3. Add the location of the Signtool binary to your PATH environment variable.
    1. Press the Windows key.
    2. Type env.
    3. Click Edit the System Environment Variables.
    4. Click Environmental Variables.
    5. Select Path and click Edit.
    6. At the end of the existing value, add the Signtool location. A semicolon (;) must separate the old value from the new value. For example:
      • old value = %USERPROFILE%\AppData\Local\Microsoft\WindowsApps;
      • new value = %USERPROFILE%\AppData\Local\Microsoft\WindowsApps;C:\Program Files (x86)\Windows Kits\10\App Certification Kit\
    7. Click OK three times to save your changes and exit the editor.

Verify the Signature of a Windows Sensor Install Package

Run the following procedure to verify the signature of a Windows sensor install package.

Procedure

  1. Open a command prompt window.
  2. Run the following command, where $file_to_verify is the name of the install package:
    signtool.exe verify /pa /hash SHA256 /all $file_to_verify
    • The /pa parameter instructs Signtool to check for code signing.
    • An optional /hash SHA256 parameter instructs Signtool to only check the SHA256 signatures.
    • The /all parameter instructs Signtool to check all signatures on the file.

Verify Multiple Files Digital Signatures

You can follow this procedure to verify multiple Windows sensor files. This procedure generally applies to installed products/packages.

Prerequisites

You must know which files can be verified. Typically, files that cannot be verified change during the use of the product, such as configuration files or JIT compiled files.

Procedure

  1. Create a file that contains a list of files to verify, one file name per line. The following example includes relevant files for a x64 install package:
    C:\users\user_name\desktop\cbd-setup64-3.8.0.276.msi
    C:\program files\confer\api-ms-win-core-console-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-datetime-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-debug-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-errorhandling-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-file-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-file-l1-2-0.dll
    C:\program files\confer\api-ms-win-core-file-l2-1-0.dll
    C:\program files\confer\api-ms-win-core-handle-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-heap-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-interlocked-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-libraryloader-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-localization-l1-2-0.dll
    C:\program files\confer\api-ms-win-core-memory-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-namedpipe-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-processenvironment-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-processthreads-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-processthreads-l1-1-1.dll
    C:\program files\confer\api-ms-win-core-profile-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-rtlsupport-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-string-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-synch-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-synch-l1-2-0.dll
    C:\program files\confer\api-ms-win-core-sysinfo-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-timezone-l1-1-0.dll
    C:\program files\confer\api-ms-win-core-util-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-conio-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-convert-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-environment-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-filesystem-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-heap-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-locale-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-math-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-multibyte-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-private-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-process-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-runtime-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-stdio-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-string-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-time-l1-1-0.dll
    C:\program files\confer\api-ms-win-crt-utility-l1-1-0.dll
    C:\program files\confer\concrt140.dll
    C:\program files\confer\msvcp140.dll
    C:\program files\confer\ucrtbase.dll
    C:\program files\confer\vccorlib140.dll
    C:\program files\confer\vcruntime140.dll
    C:\program files\confer\BladeRunner.exe
    C:\program files\confer\CbNativeMessagingHost.exe
    C:\program files\confer\RepCLI.exe
    C:\program files\confer\RepMgr.exe
    C:\program files\confer\RepUtils.exe
    C:\program files\confer\RepUx.exe
    C:\program files\confer\RepWAV.exe
    C:\program files\confer\RepWmiUtils.exe
    C:\program files\confer\RepWSC.exe
    C:\program files\confer\Uninstall.exe
    C:\program files\confer\VHostComms.exe
    C:\program files\confer\blades\livequery\osqueryi.exe
    C:\program files\confer\blades\livequery\exts\cbc_plugin_extension.ext.exe
    C:\program files\confer\blades\livequery\exts\cbosqext.dll
    C:\program files\confer\scanner\apcfile.dll
    C:\program files\confer\scanner\apchash.dll
    C:\program files\confer\scanner\avupdate.dll
    C:\program files\confer\scanner\msvcr120.dll
    C:\program files\confer\scanner\savapi.dll
    C:\program files\confer\scanner\scew.dll
    C:\program files\confer\scanner\scanhost.exe
    C:\program files\confer\scanner\upd.exe
  2. Create a batch file that contains the following text:
    @echo off
    set FILE=list_of_files
    set numFiles=0
    set numGoodSigs=0
    setlocal ENABLEDELAYEDEXPANSION
     
    for /f "delims== tokens=1,2" %%G in (%FILE%) do (
      if not exist "%%G\*" (
        set /a numFiles=numFiles+1
        (signtool verify /all /hash SHA256 /pa "%%G") && (set /a numGoodSigs=numGoodSigs+1)
      )
     
      @echo. & @echo.
    )
     
    set /a numBadSigs=numFiles-numGoodSigs
     
    echo %numFiles% files checked
    echo %numGoodSigs% verified files
    echo %numBadSigs% UNverifiable files
  3. Change the value of FILE in the batch file to specify the file that you created in Step 1.
  4. Run the batch file.

Results

A summary of how many files could or could not be verified is written at the end of the output. For example:

File: C:\program files\confer\api-ms-win-core-console-l1-1-0.dll
Index  Algorithm  Timestamp    
========================================
0      sha1       Authenticode
1      sha256     RFC3161

Successfully verified: C:\program files\confer\api-ms-win-core-console-l1-1-0.dll

67 files checked
67 verified files
0 UNverifiable files